Friday, October 15, 2010

Digital Signature in REST Services to maintain the integrity of sensitive data in URI

When we think about a REST web service, we have all heard the recommendation to keep application state on the client side. If the state data is not too large, one place to carry it is the URI itself. If you manage state that way, you need some check that the state data has not been tampered with on its way back to the server, because a client can edit a URI freely. One option is a digital signature.

We will use a signature to protect the integrity of sensitive data carried in the URI. To detect tampering, the server computes a keyed hash over the state data in the URI with a message authentication code such as HMAC-MD5 (HMAC-SHA256 is the better choice today; strictly speaking an HMAC is a MAC rather than an asymmetric digital signature, but this post uses "signature" for both), base64-encodes the result, and appends it to the URL as another query parameter. On each request the server recomputes the value over the received data with the same secret key and compares it with the supplied parameter; a mismatch means the data was altered. A few points matter in practice: the key must never leave the server; the parameters must be serialized in a canonical order before hashing so that reordering does not break verification; the signature parameter itself is excluded from the signed data; standard base64 uses "+", "/" and "=", which must be percent-encoded or replaced by the URL-safe alphabet; the comparison should be constant-time; and the signature proves integrity only, not confidentiality or freshness, so a signed URI can still be read and replayed unless you also sign an expiry time or nonce.
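The following is an added example, not code from the original post. It signs the query string of a URL with HMAC-SHA256 (rather than the HMAC-MD5 mentioned above), URL-safe base64 without padding, and verifies it with a constant-time comparison. The secret key, the `sig` parameter name and the sample cart URL are assumptions for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical server-side key for the example; load it from a secrets store in real code.
SECRET_KEY = b"example-secret-key-do-not-use-in-production"
SIG_PARAM = "sig"  # assumed name of the signature query parameter


def _canonical_query(params):
    """Serialize (name, value) pairs in sorted order so parameter order cannot affect the MAC."""
    return urlencode(sorted(params))


def compute_signature(params, key=SECRET_KEY):
    """HMAC-SHA256 over the canonical query string, encoded as URL-safe base64 without padding."""
    mac = hmac.new(key, _canonical_query(params).encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def sign_url(url, key=SECRET_KEY):
    """Return the URL with a 'sig' parameter covering every other query parameter."""
    parts = urlsplit(url)
    # Drop any signature the caller already supplied; it is never part of the signed data.
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != SIG_PARAM]
    params.append((SIG_PARAM, compute_signature(params, key)))
    return urlunsplit(parts._replace(query=urlencode(params)))


def verify_url(url, key=SECRET_KEY):
    """True only if the URL carries exactly one 'sig' parameter that matches the other parameters."""
    parts = urlsplit(url)
    all_params = parse_qsl(parts.query, keep_blank_values=True)
    supplied = [v for k, v in all_params if k == SIG_PARAM]
    if len(supplied) != 1:
        return False  # missing or duplicated signature: reject rather than guess
    params = [(k, v) for k, v in all_params if k != SIG_PARAM]
    expected = compute_signature(params, key)
    # compare_digest avoids leaking the position of the first mismatching byte through timing
    return hmac.compare_digest(expected, supplied[0])


if __name__ == "__main__":
    # Constructed sample: cart state kept in the URI, signed, then tampered with by the client.
    signed = sign_url("https://api.example.com/cart?user=42&step=checkout&total=99.00")
    print(signed)
    print("valid:", verify_url(signed))
    print("tampered valid:", verify_url(signed.replace("total=99.00", "total=1.00")))
```

The signature only covers what `_canonical_query` serializes; if the path or method also carries state, include them in the signed string in the same canonical way, and append an expiry parameter if replay of an old signed URI is a concern.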